This will unify all the handlers to use first uppercase letter for
ansible-lint to stop complaining.
I went through all `notify:` occurrences and fixed them by running
```
set TEXT "text_to_replace"; set REPLACEMENT "replacement_text"; git grep
-rlz "$TEXT" . | xargs -0 sed -i "s/$TEXT/$REPLACEMENT/g"
```
Then I went through all the changes and removed the ones that wasn't
expected to be changed.
Fixes https://pagure.io/fedora-infrastructure/issue/12391
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
fix 1900 failures of the following case issue:
`name[casing]: All names should start with an uppercase letter.`
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
On rhel and f41+ there is a sssd user, so we should use that.
If we don't, sssd will change the ownership on restart, meaning we flip
it back and forth each time we run the playbook.
remember to remove this when fedora 40 is all gone from infra
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We change this to root/root and then restart sssd and it changes it
back. So, lets do this right and let it be sssd/sssd.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This reverts commit df1445a64b.
Turns out we do have to enable sshd on client enroll because it passes
'ssh' to services in sssd.conf, which we need to get ssh keys for users.
:( Instead will try another approach.
In RHEL9, ipa-enroll-client by default adds a
/etc/ssh/sshd_config.d/04-ipa.conf file with some sshd configuration.
Almost all of these things are things we already set in our sshd_config,
but one of them causes sshd to enable password (and 2nd factor required)
auth. We don't want this, we only want to allow ssh keys.
So, pass --no-sshd to enrollment and that should prevent it from
messing with our sshd config.
I have also removed this file and reloaded sshd all around.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
There's a real user 'mock' who we want to allow on ipsilon (so they can
login to anything) and people02 (so they can get to their people space),
but no where else, since we ened the local mock user on places like
builders, etc.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We have a legit user who has the 'mock' account. So, we allow the ipa
one to override on people02 (since they have a shell account there), but
keep the filer everywhere else where we may run 'mock' the command.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
For the maintainer_tests instances we just want to allow anyone with
shell access ability to sudo with no password. In this case asking for
password/tokens could provide a MITM attack vector. This matches up with
the way they were setup before with fas2.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need to also add mock to sssd ignore groups/users, but for now since
we are frozen, only do this in staging. After freeze, we should merge
this back into one file.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We don't want a custom /etc/hosts installed on every host, so bring back
the conditional.
Improves commit 7a2024398f.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Move the vpn ./. base logic from the ipa/client role into the hosts
role, so that applying the latter doesn't apply the base profile on VPN
hosts.
Fixes: fedora-infrastructure#9822
Signed-off-by: Nils Philippsen <nils@redhat.com>
Currently /etc/nsswitch.conf has configurations like
passwd: sss files
shadow: files sss
group: sss files
The problem is that to make sure that certain users could not be
created in IPA (like nobody root etc), they were already created but
in a restricted group. In order to allow sss to work for postfix, nfs,
nobody and such, the sssd.conf needs to ignore them in the nss
section. This adds a file which will do that.
Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>
If either `ipa_client_shell_groups` and `ipa_client_sudo_groups` are
unset or empty, sysadmin-main will still be able to login and sudo.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The previous implementation didn't work because of a chicken-and-egg
problem: To add the batcave shell groups to those specifically for
bastion, it needs to look them up, but they aren't set yet (probably
because `batcave` comes after `bastion`).
Now, one can (optionally) set `ipa_client_shell_groups_inherit_from`, a
list of Ansible group names whose `ipa_client_shell_groups` will be
combined with that of the host itself. This is more robust because it's
done late, after variables are set from the inventory.
Signed-off-by: Nils Philippsen <nils@redhat.com>
This requires the canonical names of IPA servers to be mapped to their
IP addresses on the VPN as well as specifying the IPA server explicitly
when enrolling clients.
Signed-off-by: Nils Philippsen <nils@redhat.com>
